Monday, July 21, 2008

Solaris vs. NT Bloggershoot Security Smackdown

People ask which OS is more bullet-proof, Microsoft's Windows NT series (NT/2000/2003) or Sun Solaris. We had an excellent opportunity to put this to the test, to try to resolve the question once and for all.

A quick note on our testing: We used a Sun Sparcstation 10 and an HP somethingorother, both shown in laboratory prep here. Our exploits were pretty diverse, as you would expect from a large and experienced group of penetration testers. Favorites included 7.62x54mmR, with a fair amount of 5.56 NATO, and smattering of 9mm and .45 ACP. All in all, a normal Pen Test configuration.

The NT system, as many suspected, had rather a lot of holes:















It did, however, remain standing when the smoke figuratively settled. Or literally, in this case.

Solaris was both more and less robust. Many fewer observed holes, but the server was surprisingly easy to knock over, so it would appear to be more subject to Denial of Service (DoS) attacks, or Jay's 16 20 gauge slugs:














Jay will be posting a vulnerability announcement to bugtraq shortly.

So what conclusions can we draw from all this? There are a lot more holes than you'd expect in standard server-class Operating Systems, at least at a Blogshoot. On the other hand, both NT and Solaris are much, much more robust than fruit (Watermelon in this particular case).

Left unanswered is whether Macintosh - particularly old obsolete Macs would be more resistent to remote exploits. Sorry, the range doesn't allow targets containing glass.

3 comments:

Jay G said...

Correction: 20 gauge slugs.

I have many scatterguns chambered in 16 gauge. I don't have the time nor the expense account to chase down 16 gauge ammunition...

Heh. Great pics!!!

Borepatch said...

Fixed.

doubletrouble said...

Perhaps you needed a more efficient firewall?

Heh.